Jack Wallen walks you through the process of testing to see if your Linux machines have been patched for the Meltdown and Spectre vulnerabilities.
Meltdown and Spectre have spent a lot of time in the spotlight lately, with good reason. Both of these vulnerabilities should be taken seriously. If you aren't aware of these two flaws, effectively they take advantage of speculative instruction execution in the CPU. The end result is that, under the right conditions, data that should be inaccessible can be read.
All three of the main platforms, Windows, Linux, and macOS, have reportedly been patched for both Meltdown and Spectre. But how can you know, for certain, that the patch has been applied to your Linux machines? If you open a terminal window, issue the command uname -r, and are returned one of the following kernels, you are okay:
Those are all stable kernels and if you're running a machine with Intel, AMD, or ARM processors, you need to check for this immediately. If your machine isn't running one of the above kernels, upgrade.
But what if you run a non-stable kernel? Maybe you've opted to go with a cutting-edge kernel and cannot be certain, based on the kernel release number alone, whether your machine has been patched for Meltdown and Spectre. Or, for instance, you run a distribution like Elementary OS and your kernel (like mine) is 4.13.0-26? What then?
Fortunately, there's a quick way to find out if your running kernel has been patched against these vulnerabilities. What you do will depend upon your distribution. Let me show you.
If you're running Arch Linux or one of its derivatives, you need to open a terminal window and issue the following two commands:
zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
dmesg | grep iso
If your machine is patched against the vulnerabilities, the first command will return:
The second command will return a message indicating that user page table isolation has been enabled (Figure A).
If you do not see both of the above outputs, you need to immediately upgrade with the command:
sudo pacman -Syu
For Ubuntu derivatives, open up your terminal window and issue the following command:
grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
If your system is patched, the command will report as such (Figure B); otherwise it will return unpatched :(.
If you see the unpatched warning, run an immediate upgrade. Your kernel should update. Reboot the system and then run the command a second time. The second iteration of the command should report the system has been patched (Figure C).
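The Arch and Ubuntu checks above both boil down to one question: does the running kernel's build configuration contain CONFIG_PAGE_TABLE_ISOLATION=y (the KPTI option that mitigates Meltdown)? As an added example, not code from the article, the POSIX shell script below folds both checks into a single function that reads either a plain /boot/config-$(uname -r) or the gzip-compressed /proc/config.gz, anchors the match so that a "# CONFIG_PAGE_TABLE_ISOLATION is not set" line is not mistaken for a hit, and reports patched, unpatched or missing. The sample config files it writes under a temporary directory are constructed for the demonstration. The sysfs_status function goes beyond the article: it is an assumption that the machine runs a kernel from 4.15 onward, which exposes per-issue status files under /sys/devices/system/cpu/vulnerabilities/; on older kernels it simply reports that they are absent.

```shell
#!/bin/sh
# Added example (not from the article): KPTI config check for both config styles.

# kpti_status FILE
#   Prints "patched" (exit 0) if FILE contains CONFIG_PAGE_TABLE_ISOLATION=y,
#   "unpatched" (exit 1) otherwise, "missing" (exit 2) if FILE is unreadable.
#   A *.gz FILE (such as /proc/config.gz) is decompressed on the fly.
kpti_status() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "missing"
        return 2
    fi
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Anchored pattern: "# CONFIG_PAGE_TABLE_ISOLATION is not set" must not match.
    if $reader "$cfg" | grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$'; then
        echo "patched"
        return 0
    fi
    echo "unpatched"
    return 1
}

# find_kernel_config
#   Prints the first readable config for the running kernel, trying the Ubuntu
#   location (/boot) and then the Arch one (/proc/config.gz); exit 1 if none.
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# sysfs_status
#   Assumption beyond the article: kernels from 4.15 on expose per-issue status
#   under /sys/devices/system/cpu/vulnerabilities/. Print it when available.
sysfs_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# --- constructed sample config files, so the checks can be exercised offline ---
tmp=$(mktemp -d)
printf 'CONFIG_X86_64=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$tmp/config-patched"
printf 'CONFIG_X86_64=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\n' > "$tmp/config-unpatched"
printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n' | gzip -c > "$tmp/config.gz"

echo "sample (plain, patched):   $(kpti_status "$tmp/config-patched")"
echo "sample (plain, unpatched): $(kpti_status "$tmp/config-unpatched")"
echo "sample (gzip, patched):    $(kpti_status "$tmp/config.gz")"
rm -rf "$tmp"

# Now the real running kernel, if its config is readable on this machine.
if cfg=$(find_kernel_config); then
    echo "running kernel ($cfg): $(kpti_status "$cfg")"
else
    echo "running kernel: no readable config found"
fi
sysfs_status || echo "sysfs vulnerability files not present (kernel older than 4.15?)"
```

Two caveats to keep in mind when reading the result. CONFIG_PAGE_TABLE_ISOLATION=y only shows that KPTI was compiled into the kernel, not that it is active on this boot (it can be turned off on the kernel command line, and it is not needed on CPUs that are not affected by Meltdown), which is why the article's dmesg check on Arch is worth keeping alongside the config grep. And the option says nothing about Spectre, whose mitigations are separate; for those, the checker script described further down, or the sysfs files where the kernel provides them, give a fuller picture.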
If you're not running either Arch or Ubuntu derivatives, there's a way for you to check as well. Open up a terminal window and issue the following command:
git clone https://github.com/speed47/spectre-meltdown-checker.git
NOTE: You will need to have git installed for the above command to run.
Once the above command completes, change into the newly created directory with the command cd spectre-meltdown-checker. Set the correct permissions for the checker file with the command chmod u+x spectre-meltdown-checker.sh and then execute the file with the command ./spectre-meltdown-checker.sh. The command will run its check and report immediately (Figure D).
Now you know
At this point, you know for certain if your Linux distribution is patched against Meltdown and Spectre. If you find out that it isn't, make sure to upgrade the kernel immediately, otherwise your systems will be vulnerable.